Hi all,
On Thursday, 31.01.2019, 18:17 +0000, Michael Tremer wrote:
> Hello guys,
> So we have had many many conversations about DNS-over-TLS on this list and on the weekly phone calls, I would like to make a plan now to finally get this into the distribution. We have already ticked some boxes:
> - Unbound is there and compiled with support for DoT
> - OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary but makes this faster
> - We have TCP Fast Open enabled in next
Should we integrate knot (kdig) too? I have compiled a minimal version with kdig only. The only needed dependency was libedit (no need for userspace and libmaxminddb). Unbound also serves log entries for authentication, but only in verb 5, which makes the logs a lot bigger, and some information is also not available that way. I have already pushed the minimal version to Git, which can be found here --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=726479fc...
> Then there is a CGI from Erik which makes editing the upstream name servers really nice. Last time we talked about how to actually get that integrated into the whole lot of the other things. There are by now at least three different places where DNS servers are being configured. A fourth one will make things even more confusing than they are. I would like to get rid of the old ones and only use the new one then.
Maybe this can be solved via a selection menu at the top of the CGI? If yes, what menu names should be used? Maybe different CGI config files can be produced, but it might be nice if all are in one place, maybe under /var/ipfire/dns?
> We also will need some switches for some basic configuration:
> - DNS-over-TLS enforced? I think everyone who uses DoT wants this enabled
Besides the IP, there is always the need to know the hostname as well during configuration, which is used for the verification of the TLS certificate.
Syntax: forward-addr: ip@port#hostname
> - DNSSEC permissive mode - some requested this and I am still opposed to offer this, but hey
> - QNAME minimisation
> - Recursor mode?!
> I guess this can all be on the same CGI with the list of servers to use.
Via a settings file under /var/ipfire/dns?
> Finally, we will have to update the initscript that checks DNS servers right now. It needs to be stripped down as much as possible because it is otherwise unmaintainable.
In the current version the whole update_forwarders() function is disabled if DoT is active, which might be a starting point for that...
> This is my view on things right now. Status is about four weeks old. Maybe more things have happened in the meantime.
I have pushed the current development state, which can be found here --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=ae1bc6ec...
I have not had that much time the last days, and it is currently also not that much available, but I was working on an in-/uninstaller for the whole 'DoT with WUI' thing, in the hope of getting some more testers. It can be found here --> https://gitlab.com/ummeegge/dot-for-ipfire/tree/master/dot_wui . This one is also announced in the IPFire forum --> https://forum.ipfire.org/viewtopic.php?f=50&t=21954 and a quickly made how-to video on in-/uninstalling all that can be found here --> https://people.ipfire.org/~ummeegge/videos/dnsovertls.mp4 . It's not a Hollywood movie :D but I thought maybe some things become a little clearer also for non-programmers or non-admins.
Another thing I was working on was a possibility to also test the configured servers for 1) Encryption 2) Authentication 3) Query time 4) DNSSEC validation, for which kdig was needed --> https://gitlab.com/ummeegge/dot-for-ipfire/blob/master/dot_wui/check_connect... . Thinking a little further, it might be nice to have some colour codes explained via a 'Legend' in the WUI. For example: Green = Encryption, authentication, DNSSEC work. Orange = Encryption, authentication, no DNSSEC. Blue = Encryption works but no authentication and no DNSSEC. Red = No encryption --> no connection.
Just as a first idea on how the users can also see what is happening with their DNS servers? The query time might also be nice to see...
> I would like to coordinate how we are moving forward with this now. Hands up! :)
> There is basically no pressure on us to deliver this as soon as possible, but it is a nice feature and many have been asking for this. So maybe we can target Core Update 131 or earlier!
> -Michael
Some thoughts from here.
@Michael, are there plans to enable DoT also for ns2.lightningwirelabs.com and ns3.lightningwirelabs.com? I have seen that on ns1.lightningwirelabs.com the ED25519 curve is mostly not available but instead SECP256R1, just to inform you :-).
Best,
Erik
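The forward-addr syntax quoted in the thread (ip@port#hostname) and the colour legend proposed for the server check are the two pieces a settings file under /var/ipfire/dns would have to turn into unbound options. The following Python is an added example, not code from this thread, from IPFire or from the dot-for-ipfire repository: it parses such entries, refuses to render an enforced-DoT configuration for an upstream that carries no hostname (unbound can only verify the server certificate against a name), emits the matching unbound.conf fragment for the switches discussed above, and maps a check result to the legend colour. The unbound option names (forward-tls-upstream, tls-cert-bundle, qname-minimisation, val-permissive-mode) are real; the sample addresses, the hostname dns.example.net, the settings-file layout and the certificate bundle path are constructed placeholders.

```python
"""Render an unbound forward-zone for DNS-over-TLS from ip@port#hostname entries.

Added example, not IPFire or unbound code. Entries use the syntax quoted in
the thread; the values in SAMPLE_SETTINGS are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a settings file as it might live under /var/ipfire/dns
# (documentation-range addresses and a placeholder hostname, not real servers).
SAMPLE_SETTINGS = """\
# upstream resolvers, one per line
192.0.2.53@853#dns.example.net
2001:db8::53@853#dns.example.net
"""


@dataclass(frozen=True)
class Upstream:
    ip: str
    port: int
    hostname: Optional[str]  # name the TLS certificate is verified against

    def to_forward_addr(self) -> str:
        """Back to unbound's forward-addr syntax: ip@port#hostname."""
        addr = f"{self.ip}@{self.port}"
        return addr + (f"#{self.hostname}" if self.hostname else "")


def parse_upstream(entry: str) -> Upstream:
    """Parse 'ip@port#hostname'; port and hostname are optional, port defaults to 853."""
    entry = entry.strip()
    hostname = None
    if "#" in entry:
        entry, hostname = entry.split("#", 1)
        hostname = hostname.strip() or None
    port = 853  # DoT port; a bare ip or ip@port entry is also accepted
    if "@" in entry:
        entry, port_text = entry.rsplit("@", 1)  # IPv6 literals only contain ':', so '@' is unambiguous
        port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    ip = str(ipaddress.ip_address(entry.strip()))  # raises ValueError on garbage
    return Upstream(ip, port, hostname)


def parse_settings(text: str) -> List[Upstream]:
    """Read a settings file: blank lines and '#' comment lines are skipped."""
    return [parse_upstream(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def render_unbound_config(upstreams: List[Upstream], *, enforce_dot: bool = True,
                          dnssec_permissive: bool = False, qname_minimisation: bool = True,
                          tls_cert_bundle: str = "/etc/ssl/certs/ca-bundle.crt") -> str:
    """Emit the unbound.conf fragment for the switches discussed in the thread.

    With DoT enforced every upstream must carry a hostname, otherwise unbound
    would have nothing to check the server certificate against.
    """
    if enforce_dot:
        unnamed = [u.to_forward_addr() for u in upstreams if not u.hostname]
        if unnamed:
            raise ValueError("DoT enforced but no hostname for certificate "
                             "verification: " + ", ".join(unnamed))

    def yes_no(flag: bool) -> str:
        return "yes" if flag else "no"

    lines = [
        "server:",
        f"    qname-minimisation: {yes_no(qname_minimisation)}",
        f"    val-permissive-mode: {yes_no(dnssec_permissive)}",
    ]
    if enforce_dot:
        lines.append(f"    tls-cert-bundle: {tls_cert_bundle}")  # CA store used for verification
    lines += ["forward-zone:", '    name: "."']
    if enforce_dot:
        lines.append("    forward-tls-upstream: yes")
    lines += [f"    forward-addr: {u.to_forward_addr()}" for u in upstreams]
    return "\n".join(lines) + "\n"


def legend_colour(encrypted: bool, authenticated: bool, dnssec: bool) -> str:
    """Colour code from the proposed WUI legend for one checked server."""
    if not encrypted:
        return "red"      # no encryption, treated as no connection
    if not authenticated:
        return "blue"     # encrypted, but the certificate was not verified
    return "green" if dnssec else "orange"


if __name__ == "__main__":
    print(render_unbound_config(parse_settings(SAMPLE_SETTINGS)))
```

Running the block prints the fragment for the two sample upstreams; feeding it an entry without a hostname while DoT is enforced raises instead of silently producing a configuration that would connect over TLS without authenticating the peer.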